PCI Compliance (PCI DSS)
IMPORTANT INFORMATION REGARDING CARD ACCEPTANCE AND PCI-DSS
If you have a merchant account with Rentec Direct, that you use to collect application fees online or if any of your tenants pay rent via credit card, you are required to be compliant with the PCI-DSS at all times to protect the cardholder data you handle daily.
PCI compliance is a legal requirement created by the credit card industry. All companies worldwide, no matter what merchant provider they use, must prove their PCI compliance if they process credit card payments.
Only Rentec Direct clients who have been approved for credit/debit card payment processing need to follow the PCI compliance guidelines. If you only process payments via ACH you do not need to do anything.
3 WAYS YOU CAN MEET PCI-DSS COMPLIANCE
- Self-assessment – You may choose to do your own PCI compliance assessment by completing the Self-Assessment Questionnaire – Form A. While this form looks lengthy, completing the Self-Assessment is relatively straightforward since you do not store credit card data as a Rentec Direct credit card merchant. This form is designed to help you analyze your security and understand the security methods that banks require of merchants. This is a self-assessment and does not need to be turned in.
To complete a PCI self-assessment you need to fill out the Self-Assessment Questionnaire A. This form is provided by the PCI Security Standards Council and should be saved in case ever requested by CSG Forte.
Download a copy of the Self-Assessment here: Self-Assessment Questionnaire – Form A.
Tip: A sample, showing you how to fill out the form, can be found here: PCI Compliance Sample Assessment (Note: best viewed in the Chrome browser)
- Assess and validate PCI-DSS compliance through a third-party Qualified Security Assessor (QSA) of your choice, selected from the list provided on the PCI Security Standards Council website, and provide a copy of your Attestation of Compliance and scan report if requested.
- Enroll in Forte’s PCI-DSS Compliance Program – For $7.99 a month you can enroll in Forte’s Compliance Program (THIS IS AN OPTIONAL PROGRAM). The cost of the program includes online instruction and assistance with registration and completion of the PCI online questionnaire, individualized response for any questions you have in completing the questionnaire, notification of PCI compliant status, and ongoing monthly vulnerability scans of your systems.
More information on Forte's PCI-DSS Compliance Program here: CSG Forte Payment Solutions PCI-DSS Compliance Program
Additional information about PCI Compliance can be found here: PCI Compliance
Common PCI Questions
How long does the certification last?
Certification is good for 12 months as long as there are no major changes in the network.
But I don’t store credit card information. Do I still have to complete the PCI compliance requirements?
Yes, even if you don’t store or touch any credit card information you still need to complete the compliance requirements. This is a rule from all the major credit card companies, not from Rentec Direct, and it’s imposed on all companies worldwide that accept credit cards. In fact, the majority of Rentec Direct clients never physically touch a credit card, since most of the time your tenants are inputting their own payment information online. However, just because you don’t store cardholder data doesn’t mean it can’t be stolen. To protect your tenants and your business, you still need to be PCI compliant to mitigate the risk of hackers and malicious software.
What is PCI?
PCI is all about protecting cardholder data. Prior to 2006, each of the major card brands (Visa, Mastercard, Discover, American Express and JCB) had its own security requirements. In 2006, they decided there needed to be a single, consistent set of security requirements across the industry. As a result, they created a group called the PCI Security Standards Council. The Council was tasked with creating a single, system-wide standard that would apply to all merchants, members, and service providers globally.
The Council created a standard called the Payment Card Industry Data Security Standard (PCI-DSS). The PCI-DSS states that the PCI Data Security Requirements apply to all members, merchants and service providers that store, process or transmit cardholder data.
Every merchant who processes, stores or transmits cardholder data is subject to PCI and must demonstrate compliance. This is a worldwide initiative.